datatracker.ietf.org
Sign in
Version 5.12.0.p2, 2015-03-02
Report a bug

The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
RFC 4945

Document type: RFC - Proposed Standard (August 2007; No errata)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html
IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG State: RFC 4945 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: pki4ipsec-chairs@ietf.org
Email Authors | IPR Disclosures | References | Referenced By | Check nits | History feed | Search Mailing Lists 
Network Working Group                                          B. Korver
Request for Comments: 4945                       Network Resonance, Inc.
Category: Standards Track                                    August 2007

 The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   The Internet Key Exchange (IKE) and Public Key Infrastructure for
   X.509 (PKIX) certificate profile both provide frameworks that must be
   profiled for use in a given application.  This document provides a
   profile of IKE and PKIX that defines the requirements for using PKI
   technology in the context of IKE/IPsec.  The document complements
   protocol specifications such as IKEv1 and IKEv2, which assume the
   existence of public key certificates and related keying materials,
   but which do not address PKI issues explicitly.  This document
   addresses those issues.  The intended audience is implementers of PKI
   for IPsec.

Korver                      Standards Track                     [Page 1]
RFC 4945            PKI Profile for IKE/ISAKMP/PKIX          August 2007

Table of Contents

   1. Introduction ....................................................4
   2. Terms and Definitions ...........................................4
   3. Use of Certificates in RFC 2401 and IKEv1/ISAKMP ................5
      3.1. Identification Payload .....................................5
           3.1.1. ID_IPV4_ADDR and ID_IPV6_ADDR .......................7
           3.1.2. ID_FQDN .............................................9
           3.1.3. ID_USER_FQDN .......................................10
           3.1.4. ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET,
                  ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE .............11
           3.1.5. ID_DER_ASN1_DN .....................................11
           3.1.6. ID_DER_ASN1_GN .....................................12
           3.1.7. ID_KEY_ID ..........................................12
           3.1.8. Selecting an Identity from a Certificate ...........12
           3.1.9. Subject for DN Only ................................12
           3.1.10. Binding Identity to Policy ........................13
      3.2. Certificate Request Payload ...............................13
           3.2.1. Certificate Type ...................................14
           3.2.2. X.509 Certificate - Signature ......................14
           3.2.3. Revocation Lists (CRL and ARL) .....................14
           3.2.4. PKCS #7 wrapped X.509 certificate ..................15
           3.2.5. Location of Certificate Request Payloads ...........15
           3.2.6. Presence or Absence of Certificate Request
                  Payloads ...........................................15
           3.2.7. Certificate Requests ...............................15
           3.2.8. Robustness .........................................18
           3.2.9. Optimizations ......................................18
      3.3. Certificate Payload .......................................19
           3.3.1. Certificate Type ...................................20
           3.3.2. X.509 Certificate - Signature ......................20
           3.3.3. Revocation Lists (CRL and ARL) .....................20
           3.3.4. PKCS #7 Wrapped X.509 Certificate ..................20
           3.3.5. Location of Certificate Payloads ...................21
           3.3.6. Certificate Payloads Not Mandatory .................21
           3.3.7. Response to Multiple Certification
                  Authority Proposals ................................21
           3.3.8. Using Local Keying Materials .......................21
           3.3.9. Multiple End-Entity Certificates ...................22
           3.3.10. Robustness ........................................22
           3.3.11. Optimizations .....................................23
   4. Use of Certificates in RFC 4301 and IKEv2 ......................24
      4.1. Identification Payload ....................................24
      4.2. Certificate Request Payload ...............................24
           4.2.1. Revocation Lists (CRL and ARL) .....................24
      4.3. Certificate Payload .......................................25
           4.3.1. IKEv2's Hash and URL of X.509 Certificate ..........25
           4.3.2. Location of Certificate Payloads ...................25

[include full document text]